Dropbox Upgrades Security with Two-factor Authentication

Users who desire a higher level of security can enter a one-time passcode

The file-sharing utility Dropbox is now offering two-factor authentication, a system that makes it much harder for hackers to capture valid credentials for a person's account.

Dropbox, one of the most widely used web-based storage services, said last month it planned on introducing two-factor authentication after user names and passwords were stolen from another website and used to access accounts.

While it is relatively easy for hackers to obtain a person's user name and password using malware and social engineering, it is much harder for them to intercept one-time passcodes, although it is possible. The codes, sent by SMS (short message service) or generated by a device, expire quickly.

Users will first need to upgrade their client to version 1.5.12. The feature can be turned on through Dropbox's website on the "security" tab in a person's account settings. Users can opt to receive the six-digit code sent by SMS to their mobile phone when a new device is used to access their account.

A valid code can also be obtained by using an application that supports the Time-Based One-Time Password protocol, such as Google Authenticator, Amazon AWS MFA or Authenticator, according to Dropbox. Apple users can opt to generate a code from the terminal application using the OATH tool, Dropbox said.

While setting up two-factor authentication, users get a 16-digit backup code that can be used to unlock their account if they lose their phones and can't obtain codes through SMS or an application.

Dropbox users have reported a few problems on the company's forum, but were generally positive. Dropbox employee "Dan W." wrote on the forum that since SMS codes expire in about a minute, the company is working to make SMS deliveries faster, as well as adding new carriers.

"In the meantime, if SMS delivery is slow, I recommend using an offline app instead," he wrote.

Dropbox is also working on a feature for users to "untrust" their current browser or all other browsers, which would mean a code would be required upon the next attempted login. Dan W. wrote that "in the meantime, for testing purposes, you can untrust a computer by deleting Dropbox cookies."

Send news tips and comments to jeremy_kirk@idg.com

This story, "Dropbox Upgrades Security with Two-factor Authentication" was originally published by IDG News Service .

Join the discussion
Be the first to comment on this article. Our Commenting Policies